PT-2026-31975 · Openclaw · Openclaw
Peng Zhou
·
Published
2026-03-29
·
Updated
2026-04-10
·
CVE-2026-35664
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.3.25
Description
OpenClaw's raw card send surface lacks the pairing check that guards normal direct messages. An unpaired recipient can therefore submit a legacy callback payload through that surface, bypass the DM pairing restriction, and reach callback handling without authorization. Only integrity is affected (no confidentiality or availability impact is recorded in the CVSS vector). The issue was resolved by rejecting legacy raw-card command payloads outright, so callbacks can only be created on the normal, paired path.
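To make the mechanism concrete, the following is an added illustrative model of an alternate-path authorization bypass and of the fix pattern the advisory describes. It is not OpenClaw's code: the message shapes, the in-memory pairing store, and the function names are assumptions made for this example.

```typescript
// Illustrative model of the alternate-path authorization bypass described in this
// advisory. It is not OpenClaw code: the message shapes, the pairing store and the
// function names below are assumptions made for the example.

type Sender = string;

interface DmMessage { kind: "dm"; from: Sender; command: string }
interface RawCard {
  kind: "raw_card";
  from: Sender;
  card: { text?: string; legacyCallback?: { command: string } };
}
type Inbound = DmMessage | RawCard;
interface Result { handled: boolean; reason: string }

// Constructed pairing state: only "alice" has completed DM pairing.
const paired = new Set<Sender>(["alice"]);

function runCallback(from: Sender, command: string): Result {
  return { handled: true, reason: `ran ${command} for ${from}` };
}

// Vulnerable dispatcher (assumed shape): the DM path checks pairing, but the
// raw-card path forwards an embedded legacy callback to the same handler
// without that check. That second route is the alternate channel.
function dispatchVulnerable(msg: Inbound): Result {
  if (msg.kind === "dm") {
    if (!paired.has(msg.from)) return { handled: false, reason: "sender not paired" };
    return runCallback(msg.from, msg.command);
  }
  if (msg.card.legacyCallback) {
    return runCallback(msg.from, msg.card.legacyCallback.command); // no pairing check
  }
  return { handled: false, reason: "plain card, nothing to run" };
}

// Hardened dispatcher, modelled on the fix: legacy raw-card command payloads are
// rejected outright, so a callback can only be created on the paired DM path.
function dispatchFixed(msg: Inbound): Result {
  if (msg.kind === "raw_card") {
    if (msg.card.legacyCallback) {
      return { handled: false, reason: "legacy raw-card command payload rejected" };
    }
    return { handled: false, reason: "plain card, nothing to run" };
  }
  if (!paired.has(msg.from)) return { handled: false, reason: "sender not paired" };
  return runCallback(msg.from, msg.command);
}

// Constructed probe messages from an unpaired sender and a paired one.
const unpairedDm: Inbound = { kind: "dm", from: "mallory", command: "export_config" };
const unpairedCard: Inbound = {
  kind: "raw_card",
  from: "mallory",
  card: { text: "hello", legacyCallback: { command: "export_config" } },
};
const pairedDm: Inbound = { kind: "dm", from: "alice", command: "status" };

// True when the unpaired sender is blocked on the DM path but still reaches the
// callback handler through the raw-card path.
function bypassReachable(dispatch: (m: Inbound) => Result): boolean {
  return !dispatch(unpairedDm).handled && dispatch(unpairedCard).handled;
}

console.log("vulnerable bypass reachable:", bypassReachable(dispatchVulnerable)); // true
console.log("fixed bypass reachable:", bypassReachable(dispatchFixed));           // false
```

The point of the `bypassReachable` probe is that a pairing check on one entry point says nothing about the others: every route that can end in the callback handler has to be enumerated and either gated by the same check or, as in the fix here, closed entirely.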
Recommendations
Update to version 2026.3.25 or later.
Fix
Legacy raw-card command payloads are rejected, so callbacks can only be created on the normal paired path (shipped in 2026.3.25).
Weakness
CWE-288: Authentication Bypass Using an Alternate Path or Channel
CWE-863: Incorrect Authorization
Related Identifiers
CVE-2026-35664
Affected Products
Openclaw